Message-Id: <750914AB-F2F5-4F92-A608-2939E0996B0F@beckweb.net>
Date: Wed, 19 Oct 2022 17:08:51 +0200
From: Daniel Beck <ml@...kweb.net>
To: oss-security@...ts.openwall.com
Subject: Multiple vulnerabilities in Jenkins plugins

Jenkins is an open source automation server which enables developers around
the world to reliably build, test, and deploy their software.

The following releases contain fixes for security vulnerabilities:

* Compuware Source Code Download for Endevor, PDS, and ISPW Plugin 2.0.13
* Compuware Topaz Utilities Plugin 1.0.9
* Compuware Xpediter Code Coverage Plugin 1.0.8
* Contrast Continuous Application Security Plugin 3.10
* Generic Webhook Trigger Plugin 1.84.2
* GitLab Plugin 1.5.36
* Job Import Plugin 3.6
* Katalon Plugin 1.0.33 and 1.0.34
* Mercurial Plugin 1260.vdfb_723cdcc81
* NUnit Plugin 0.28
* Pipeline: Deprecated Groovy Libraries Plugin 588.v576c103a_ff86
* Pipeline: Groovy Libraries Plugin 613.v9c41a_160233f
* Pipeline: Groovy Plugin 2803.v1a_f77ffcc773
* Pipeline: Input Step Plugin 456.vd8a_957db_5b_e9
* Pipeline: Stage View Plugin 2.27
* Pipeline: Supporting APIs Plugin 839.v35e2736cfd5c
* REPO Plugin 1.16.0
* Script Security Plugin 1184.v85d16b_d851b_3
* Tuleap Git Branch Source Plugin 3.2.5

Additionally, we announce unresolved security issues in the following
plugins:

* 360 FireLine Plugin
* Compuware Strobe Measurement Plugin
* Compuware Topaz for Total Test Plugin
* Custom Checkbox Parameter Plugin
* NeuVector Vulnerability Scanner Plugin
* S3 Explorer Plugin
* ScreenRecorder Plugin
* XFramium Builder Plugin

Summaries of the vulnerabilities are below. More details, severity, and
attribution can be found here:
https://www.jenkins.io/security/advisory/2022-10-19/

We provide advance notification for security updates on this mailing list:
https://groups.google.com/d/forum/jenkinsci-advisories

If you discover security vulnerabilities in Jenkins, please report them as
described here:
https://www.jenkins.io/security/#reporting-vulnerabilities

---

SECURITY-2824 (1) / CVE-2022-43401 through CVE-2022-43404
Script Security Plugin provides a sandbox feature that allows low
privileged users to define scripts, including Pipelines, that are generally
safe to execute. Calls to code defined inside a sandboxed script are
intercepted, and various allowlists are checked to determine whether the
call is to be allowed.

Multiple sandbox bypass vulnerabilities exist in Script Security Plugin and
Pipeline: Groovy Plugin:

* In Script Security Plugin 1183.v774b_0b_0a_a_451 and earlier and in
  Pipeline: Groovy Plugin 2802.v5ea_628154b_c2 and earlier, various casts
  performed implicitly by the Groovy language runtime were not intercepted
  by the sandbox.
  This includes casts performed when returning values from methods, when
  assigning local variables, fields, properties, and when defining default
  arguments for closure, constructor, and method parameters (CVE-2022-43401
  in Script Security Plugin and CVE-2022-43402 in Pipeline: Groovy Plugin).
* In Script Security Plugin 1183.v774b_0b_0a_a_451 and earlier, when
  casting an array-like value to an array type, per-element casts to the
  component type of the array are not intercepted by the sandbox
  (CVE-2022-43403).
* In Script Security Plugin 1183.v774b_0b_0a_a_451 and earlier, crafted
  constructor bodies and calls to sandbox-generated synthetic constructors
  can be used to construct any subclassable type (due to an incomplete fix
  for SECURITY-1754 in the 2020-03-09 security advisory) (CVE-2022-43404).

These vulnerabilities allow attackers with permission to define and run
sandboxed scripts, including Pipelines, to bypass the sandbox protection
and execute arbitrary code in the context of the Jenkins controller JVM.


SECURITY-2824 (2) / CVE-2022-43405 (Pipeline: Groovy Libraries Plugin)
  & CVE-2022-43406 (Pipeline: Deprecated Groovy Libraries Plugin)
Pipeline: Groovy Libraries Plugin and older releases of the Pipeline:
Deprecated Groovy Libraries Plugin (formerly Pipeline: Shared Groovy
Libraries Plugin) define the `library` Pipeline step, which allows Pipeline
authors to dynamically load Pipeline libraries. The return value of this
step can be used to instantiate classes defined in the loaded library.

In Pipeline: Groovy Libraries Plugin 612.v84da_9c54906d and earlier and in
Pipeline: Deprecated Groovy Libraries Plugin 583.vf3b_454e43966 and
earlier, the `library` step can be used to invoke sandbox-generated
synthetic constructors in crafted untrusted libraries and construct any
subclassable type. This is similar to SECURITY-582 in the 2017-08-07
security advisory, but in a different plugin.

This vulnerability allows attackers with permission to define untrusted
Pipeline libraries and to define and run sandboxed Pipelines, to bypass the
sandbox protection and execute arbitrary code in the context of the Jenkins
controller JVM.


SECURITY-2880 / CVE-2022-43407
Pipeline: Input Step Plugin 451.vf1a_a_4f405289 and earlier does not
restrict or sanitize the optionally specified ID of the `input` step. This
ID is used for the URLs that process user interactions for the given
`input` step (proceed or abort) and is not correctly encoded.

This allows attackers able to configure Pipelines to have Jenkins build
URLs from `input` step IDs that would bypass the CSRF protection of any
target URL in Jenkins when the `input` step is interacted with.


SECURITY-2828 / CVE-2022-43408
Pipeline: Stage View Plugin provides a visualization of Pipeline builds. It
also allows users to interact with `input` steps from Pipeline: Input Step
Plugin.

Pipeline: Stage View Plugin 2.26 and earlier does not correctly encode the
ID of `input` steps when using it to generate URLs to proceed or abort
Pipeline builds.

This allows attackers able to configure Pipelines to specify `input` step
IDs resulting in URLs that would bypass the CSRF protection of any target
URL in Jenkins.
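The two findings above share one root cause: a user-chosen `input` step ID is spliced into a URL path without encoding, so an ID containing `/` or `..` changes where the generated "Proceed"/"Abort" link points. The following is an added illustration of that class of bug and its fix; it is not code from Pipeline: Input Step Plugin or Pipeline: Stage View Plugin, and the URL layout it uses (`<build URL>input/<id>/proceed`) is a hypothetical stand-in chosen only to show the effect of the missing encoding.

```java
import java.net.URI;
import java.nio.charset.StandardCharsets;

public final class InputStepUrls {

    // Vulnerable shape: the step ID is pasted into the path unchanged, so an
    // ID containing '/' or '..' decides which URL the generated link (and
    // whatever CSRF token the UI attaches to it) actually targets.
    static String unsafeProceedUrl(String buildUrl, String inputId) {
        return buildUrl + "input/" + inputId + "/proceed";
    }

    // Hardened shape: the ID is encoded as one path segment, so every byte
    // that could alter URL structure becomes %XX and the link stays under
    // the build's own input/ path.
    static String safeProceedUrl(String buildUrl, String inputId) {
        return buildUrl + "input/" + encodePathSegment(inputId) + "/proceed";
    }

    // Percent-encode everything except RFC 3986 unreserved characters.
    // This is deliberately not java.net.URLEncoder, which is for form
    // fields: that one turns space into '+' and leaves '/' alone.
    static String encodePathSegment(String s) {
        StringBuilder out = new StringBuilder();
        for (byte b : s.getBytes(StandardCharsets.UTF_8)) {
            int c = b & 0xff;
            boolean unreserved = (c >= 'A' && c <= 'Z') || (c >= 'a' && c <= 'z')
                    || (c >= '0' && c <= '9') || c == '-' || c == '.' || c == '_' || c == '~';
            if (unreserved) {
                out.append((char) c);
            } else {
                out.append('%').append(String.format("%02X", c));
            }
        }
        return out.toString();
    }

    // Reviewer's check: after dot-segment resolution the link must still
    // begin with the build URL plus "input/".
    static boolean staysUnderInputPath(String buildUrl, String url) {
        String normalized = URI.create(url).normalize().toString();
        return normalized.startsWith(buildUrl + "input/");
    }

    public static void main(String[] args) {
        String buildUrl = "https://jenkins.example/job/demo/42/";
        // Constructed attacker-chosen ID that climbs out of the build URL.
        String hostileId = "../../../../configure";
        System.out.println(unsafeProceedUrl(buildUrl, hostileId));
        System.out.println(staysUnderInputPath(buildUrl, unsafeProceedUrl(buildUrl, hostileId)));
        System.out.println(safeProceedUrl(buildUrl, hostileId));
        System.out.println(staysUnderInputPath(buildUrl, safeProceedUrl(buildUrl, hostileId)));
    }
}
```

With the hostile ID the unencoded link normalizes to a URL outside the build entirely, which is why the advisory speaks of "any target URL in Jenkins"; the encoded link keeps `%2E%2E%2F` as literal characters inside the segment. In a Jenkins plugin the encoding step is normally `hudson.Util.rawEncode`, which does the same job as the hand-written `encodePathSegment` here.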


SECURITY-2881 / CVE-2022-43409
Pipeline: Supporting APIs Plugin provides a feature to add hyperlinks, that
send POST requests when clicked, to build logs. These links are used by
Pipeline: Input Step Plugin to allow users to proceed or abort the build,
or by Pipeline: Job Plugin to allow users to forcibly terminate the build
after aborting it.

Pipeline: Supporting APIs Plugin 838.va_3a_087b_4055b and earlier does not
sanitize or properly encode URLs of these hyperlinks in build logs.

This results in a stored cross-site scripting (XSS) vulnerability
exploitable by attackers able to create Pipelines.


SECURITY-2831 / CVE-2022-43410
Mercurial Plugin provides a webhook endpoint at `/mercurial/notifyCommit`
that can be used to notify Jenkins of changes to an SCM repository. This
endpoint receives a repository URL, and Jenkins will schedule polling for
all jobs configured with the specified repository. It can be accessed with
GET requests and without authentication.

In Mercurial Plugin 1251.va_b_121f184902 and earlier, the output of the
webhook endpoint will provide information about which jobs were triggered
or scheduled for polling, including jobs the user has no permission to
access. This allows attackers with knowledge of Mercurial repository URLs
to obtain information about the existence of jobs configured with this
Mercurial repository.


SECURITY-2877 / CVE-2022-43411
GitLab Plugin 1.5.35 and earlier does not use a constant-time comparison
when checking whether the provided and expected webhook token are equal.

This could potentially allow attackers to use statistical methods to obtain
a valid webhook token.


SECURITY-2874 / CVE-2022-43412
Generic Webhook Trigger Plugin 1.84.1 and earlier does not use a
constant-time comparison when checking whether the provided and expected
webhook token are equal.

This could potentially allow attackers to use statistical methods to obtain
a valid webhook token.
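SECURITY-2877 and SECURITY-2874 are the same defect in two plugins, so one added example covers both. It is not code from GitLab Plugin or Generic Webhook Trigger Plugin; the token value is constructed for the demo. The instrumented comparison exists only to show what a timing measurement would reveal, without needing a timer.

```java
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;

public final class WebhookTokenCheck {

    // Vulnerable shape: String.equals() stops at the first differing
    // character, so the time it takes leaks how long a correct prefix of
    // the token the caller has already guessed.
    static boolean leakyEquals(String expected, String provided) {
        return expected != null && expected.equals(provided);
    }

    // Hardened shape: compare the UTF-8 bytes with MessageDigest.isEqual,
    // which inspects every byte of equal-length inputs regardless of where
    // the first mismatch sits. A length mismatch still returns early, but
    // the token's length is not the secret being protected here.
    static boolean constantTimeEquals(String expected, String provided) {
        if (expected == null || provided == null) {
            return false;
        }
        return MessageDigest.isEqual(
                expected.getBytes(StandardCharsets.UTF_8),
                provided.getBytes(StandardCharsets.UTF_8));
    }

    // Instrumented copy of the early-exit comparison: reports how many
    // characters were inspected before the verdict. That count is what the
    // timing side channel exposes, one character position at a time.
    static int charsInspectedByLeakyCompare(String expected, String provided) {
        int n = Math.min(expected.length(), provided.length());
        for (int i = 0; i < n; i++) {
            if (expected.charAt(i) != provided.charAt(i)) {
                return i + 1;
            }
        }
        return n;
    }

    public static void main(String[] args) {
        // Constructed token; a real one is a random string of similar shape.
        String expected = "tok_6b1d3e9f4c2a7b8d";
        // Wrong from the first character versus wrong only in the last one:
        System.out.println(charsInspectedByLeakyCompare(expected, "xxxxxxxxxxxxxxxxxxxx"));
        System.out.println(charsInspectedByLeakyCompare(expected, "tok_6b1d3e9f4c2a7b8x"));
        System.out.println(leakyEquals(expected, "tok_6b1d3e9f4c2a7b8x"));
        System.out.println(constantTimeEquals(expected, "tok_6b1d3e9f4c2a7b8x"));
        System.out.println(constantTimeEquals(expected, expected));
    }
}
```

The per-character difference is nanoseconds, which is why the advisory says "statistical methods": an attacker needs many samples per guess to separate it from network jitter, but the leak is real and the fix is the one-line swap to `MessageDigest.isEqual`.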


SECURITY-2791 / CVE-2022-43413
Job Import Plugin 3.5 and earlier does not perform a permission check in an
HTTP endpoint.

This allows attackers with Overall/Read permission to enumerate credentials
IDs of credentials stored in Jenkins. Those can be used as part of an
attack to capture the credentials using another vulnerability.


SECURITY-2551 / CVE-2022-43414
NUnit Plugin 0.27 and earlier implements an agent-to-controller message
that parses files inside a user-specified directory as test results.

This allows attackers able to control agent processes to obtain test
results from files in an attacker-specified directory on the Jenkins
controller.


SECURITY-2337 / CVE-2022-43415
REPO Plugin 1.15.0 and earlier does not configure its XML parser to prevent
XML external entity (XXE) attacks.

This allows attackers able to control which `repo` binary is executed on
agents to have Jenkins parse a crafted XML document that uses external
entities for extraction of secrets from the Jenkins controller or
server-side request forgery.


SECURITY-2844 / CVE-2022-43416
Katalon Plugin 1.0.32 and earlier implements an agent/controller message
that does not limit where it can be executed and allows invoking Katalon
with configurable arguments.

It allows attackers able to control agent processes to invoke Katalon on
the Jenkins controller with attacker-controlled version, install location,
and arguments. Attackers additionally able to create files on the Jenkins
controller (e.g., attackers with Item/Configure permission could archive
artifacts) can invoke arbitrary OS commands.

NOTE: This vulnerability is only exploitable in Jenkins 2.318 and earlier,
LTS 2.303.2 and earlier.


SECURITY-2845 (1) / CVE-2022-43417
Katalon Plugin 1.0.32 and earlier does not perform permission checks in
several HTTP endpoints.

This allows attackers with Overall/Read permission to connect to an
attacker-specified URL using attacker-specified credentials IDs obtained
through another method, capturing credentials stored in Jenkins.


SECURITY-2845 (2) / CVE-2022-43418
Katalon Plugin 1.0.33 and earlier does not require POST requests for
several HTTP endpoints, resulting in cross-site request forgery (CSRF)
vulnerabilities.

This vulnerability allows attackers to connect to an attacker-specified URL
using attacker-specified credentials IDs obtained through another method,
capturing credentials stored in Jenkins.


SECURITY-2846 / CVE-2022-43419
Katalon Plugin 1.0.32 and earlier stores API keys unencrypted in job
`config.xml` files on the Jenkins controller as part of its configuration.

These API keys can be viewed by users with Item/Extended Read permission or
access to the Jenkins controller file system.
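The usual plugin-side fix for SECURITY-2846 is to store the key as a `hudson.util.Secret` rather than a `String`. The following is an added example of the before and after shapes; `ExampleToolStep` and its command line are hypothetical and nothing here is code from Katalon Plugin.

```java
import hudson.util.Secret;
import org.kohsuke.stapler.DataBoundConstructor;

public final class ApiKeyStorage {

    // Vulnerable shape: the key is a plain String, so XStream writes it
    // verbatim into the job's config.xml, where Item/Extended Read or file
    // system access on the controller reveals it.
    public static final class ExampleToolStepBefore {
        private final String apiKey;

        @DataBoundConstructor
        public ExampleToolStepBefore(String apiKey) {
            this.apiKey = apiKey;
        }

        public String getApiKey() {
            return apiKey;
        }
    }

    // Hardened shape: hudson.util.Secret is serialized in encrypted form
    // (keyed from material kept in the controller's secrets directory), the
    // form field for it is a <f:password> in the Jelly view, and the
    // plaintext is only unwrapped at the moment it is handed to the tool.
    public static final class ExampleToolStep {
        private final Secret apiKey;

        @DataBoundConstructor
        public ExampleToolStep(Secret apiKey) {
            this.apiKey = apiKey;
        }

        public Secret getApiKey() {
            return apiKey;
        }

        // Runs at build time; the decrypted value never touches config.xml.
        String[] buildCommandLine(String executable) {
            return new String[] { executable, "--api-key", Secret.toString(apiKey) };
        }
    }

    public static void main(String[] args) {
        // Constructed value; outside a running Jenkins there is no key file,
        // so this only shows the API shape, not the on-disk ciphertext.
        ExampleToolStep step = new ExampleToolStep(Secret.fromString("constructed-api-key"));
        System.out.println(String.join(" ", step.buildCommandLine("tool")));
    }
}
```

`Secret.fromString` accepts either an already encrypted value or legacy plaintext, which is how existing `config.xml` files written by the `String` version get migrated on first load after the upgrade. Note that this addresses the at-rest exposure only; a `Secret` is still visible to anything that can run code in the controller JVM.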


SECURITY-2836 / CVE-2022-43420
Contrast Continuous Application Security Plugin 3.9 and earlier does not
escape data returned from the Contrast service when generating a report.

This results in a stored cross-site scripting (XSS) vulnerability
exploitable by attackers able to control or modify Contrast service API
responses.


SECURITY-2852 / CVE-2022-43421
Tuleap Git Branch Source Plugin provides a webhook endpoint at
`/tuleap-hook/` that can be used to trigger Tuleap projects configured with
a specified repository.

In Tuleap Git Branch Source Plugin 3.2.4 and earlier, this endpoint can be
accessed without authentication.

This allows unauthenticated attackers to trigger Tuleap projects whose
configured repository matches the attacker-specified value.


SECURITY-2620 / CVE-2022-43422
Compuware Topaz Utilities Plugin 1.0.8 and earlier implements an
agent/controller message that does not limit where it can be executed.

It allows attackers able to control agent processes to obtain the values of
Java system properties from the Jenkins controller process.

NOTE: This vulnerability is only exploitable in Jenkins 2.318 and earlier,
LTS 2.303.2 and earlier.


SECURITY-2622 / CVE-2022-43423
Compuware Source Code Download for Endevor, PDS, and ISPW Plugin 2.0.12 and
earlier implements an agent/controller message that does not limit where it
can be executed.

It allows attackers able to control agent processes to obtain the values of
Java system properties from the Jenkins controller process.

NOTE: This vulnerability is only exploitable in Jenkins 2.318 and earlier,
LTS 2.303.2 and earlier.


SECURITY-2627 / CVE-2022-43424
Compuware Xpediter Code Coverage Plugin 1.0.7 and earlier implements an
agent/controller message that does not limit where it can be executed.

It allows attackers able to control agent processes to obtain the values of
Java system properties from the Jenkins controller process.

NOTE: This vulnerability is only exploitable in Jenkins 2.318 and earlier,
LTS 2.303.2 and earlier.


SECURITY-2797 / CVE-2022-43425
Custom Checkbox Parameter Plugin 1.4 and earlier does not escape the name
and description of the parameter types it provides.

This results in stored cross-site scripting (XSS) vulnerabilities
exploitable by attackers with Item/Configure permission.

Exploitation of this vulnerability requires that parameters are listed on
another page, like the "Build With Parameters" and "Parameters" pages
provided by Jenkins (core), and that those pages are not hardened to
prevent exploitation. Jenkins (core) has prevented exploitation of
vulnerabilities of this kind on the "Build With Parameters" and
"Parameters" pages since 2.44 and LTS 2.32.2 as part of the SECURITY-353 /
CVE-2017-2601 fix. Additionally, several plugins have previously been
updated to list parameters in a way that prevents exploitation by default,
see SECURITY-2617 in the 2022-04-12 security advisory for a list.

As of publication of this advisory, there is no fix.


SECURITY-2480 / CVE-2022-43426
S3 Explorer Plugin stores AWS_SECRET_ACCESS_KEY in its global configuration
file `s3explorer.xml` on the Jenkins controller as part of its
configuration.

While this secret is stored encrypted on disk, in S3 Explorer Plugin 1.0.8
and earlier the global configuration form does not mask the
AWS_SECRET_ACCESS_KEY form field, increasing the potential for attackers to
observe and capture it.

As of publication of this advisory, there is no fix.


SECURITY-2623 / CVE-2022-43427
Compuware Topaz for Total Test Plugin 2.4.8 and earlier does not perform
permission checks in several HTTP endpoints.

This allows attackers with Overall/Read permission to enumerate credentials
IDs of credentials stored in Jenkins. Those can be used as part of an
attack to capture the credentials using another vulnerability.

As of publication of this advisory, there is no fix.


SECURITY-2624 / CVE-2022-43428 (Java system properties) & CVE-2022-43429 (read files)
Compuware Topaz for Total Test Plugin 2.4.8 and earlier implements two
agent/controller messages that do not limit where they can be executed.

* `RemoteSystemProperties` allows attackers able to control agent processes
  to obtain the values of Java system properties from the Jenkins
  controller process (CVE-2022-43428).
* `GetRemoteUTF8FileContents` allows attackers able to control agent
  processes to read arbitrary files on the Jenkins controller file system
  (CVE-2022-43429).

NOTE: These vulnerabilities are only exploitable in Jenkins 2.318 and
earlier, LTS 2.303.2 and earlier.

As of publication of this advisory, there is no fix.
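"Implements an agent/controller message that does not limit where it can be executed" recurs in SECURITY-2551, SECURITY-2844, SECURITY-2620, SECURITY-2622, SECURITY-2627 and SECURITY-2624 above. The added example below shows the message shape behind that phrase and the hardened equivalent; it is not code from any of the affected plugins, the `ReadProperty` classes are hypothetical, and the `RoleChecker` built inside the block is a toy stand-in for the one the remoting layer supplies, used only to make the difference observable outside a running Jenkins.

```java
import java.util.Arrays;
import java.util.Collection;
import java.util.Collections;
import hudson.remoting.Callable;
import jenkins.security.MasterToSlaveCallable;
import jenkins.security.Roles;
import org.jenkinsci.remoting.Role;
import org.jenkinsci.remoting.RoleChecker;
import org.jenkinsci.remoting.RoleSensitive;

public final class RemotingRoleChecks {

    // Vulnerable shape: implements Callable directly and declares no role.
    // Nothing says "this may only run on an agent", so whoever controls an
    // agent process can send it the other way and have the controller run
    // call() inside its own JVM.
    static final class UnrestrictedReadProperty implements Callable<String, RuntimeException> {
        private static final long serialVersionUID = 1L;
        private final String name;
        UnrestrictedReadProperty(String name) { this.name = name; }

        @Override
        public String call() {
            return System.getProperty(name);
        }

        @Override
        public void checkRoles(RoleChecker checker) throws SecurityException {
            // Left empty: the receiving side is never asked to confirm its role.
        }
    }

    // Hardened shape: MasterToSlaveCallable implements checkRoles() as
    // checker.check(this, Roles.SLAVE), so a controller receiving this
    // message from an agent refuses to execute it.
    static final class ReadProperty extends MasterToSlaveCallable<String, RuntimeException> {
        private static final long serialVersionUID = 1L;
        private final String name;
        ReadProperty(String name) { this.name = name; }

        @Override
        public String call() {
            return System.getProperty(name);
        }
    }

    // Toy stand-in for the checker handed to checkRoles() on the receiving
    // side: that side has a fixed set of roles and the message must name
    // one of them. Real enforcement in Jenkins has more to it; this only
    // shows why an empty checkRoles() is accepted everywhere.
    static RoleChecker sideWithRoles(Role... roles) {
        Collection<Role> mine = Arrays.asList(roles);
        return new RoleChecker() {
            @Override
            public void check(RoleSensitive subject, Collection<Role> expected) throws SecurityException {
                if (Collections.disjoint(expected, mine)) {
                    throw new SecurityException(subject.getClass().getSimpleName()
                            + " may not run here (expects " + expected + ")");
                }
            }
        };
    }

    // True if a side holding the given roles would go on to execute the message.
    static boolean accepted(Callable<?, ?> message, Role... receivingSideRoles) {
        try {
            message.checkRoles(sideWithRoles(receivingSideRoles));
            return true;
        } catch (SecurityException e) {
            return false;
        }
    }

    public static void main(String[] args) {
        Callable<?, ?> unrestricted = new UnrestrictedReadProperty("java.home");
        Callable<?, ?> restricted = new ReadProperty("java.home");
        // Controller receiving each message from an agent:
        System.out.println(accepted(unrestricted, Roles.MASTER));
        System.out.println(accepted(restricted, Roles.MASTER));
        // Agent receiving the restricted one from the controller, the intended direction:
        System.out.println(accepted(restricted, Roles.SLAVE));
    }
}
```

The NOTE lines above about Jenkins 2.318 / LTS 2.303.2 are the other half of the story: newer cores reject such messages at the remoting layer regardless of what the plugin declares, but a plugin that still ships the first shape remains exploitable on every older controller it is installed on.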


SECURITY-2625 / CVE-2022-43430
Compuware Topaz for Total Test Plugin 2.4.8 and earlier does not configure
its XML parser to prevent XML external entity (XXE) attacks.

This allows attackers able to control the input files for the 'Topaz for
Total Test - Execute Total Test scenarios' build step to have Jenkins parse
a crafted XML document that uses external entities for extraction of
secrets from the Jenkins controller or server-side request forgery.

As of publication of this advisory, there is no fix.
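SECURITY-2337 (REPO Plugin) and SECURITY-2625 (Topaz for Total Test Plugin) both come down to an XML parser left at its defaults, so one added example serves both. It is not code from either plugin; the manifest-like document is constructed for the demo and points its entity at a temporary file the demo writes itself rather than at a real secret.

```java
import java.io.IOException;
import java.io.StringReader;
import java.nio.charset.StandardCharsets;
import java.nio.file.Files;
import java.nio.file.Path;
import javax.xml.XMLConstants;
import javax.xml.parsers.DocumentBuilder;
import javax.xml.parsers.DocumentBuilderFactory;
import javax.xml.parsers.ParserConfigurationException;
import org.w3c.dom.Document;
import org.xml.sax.InputSource;
import org.xml.sax.SAXException;

public final class SafeXmlParsing {

    // Vulnerable shape: a default DocumentBuilderFactory resolves external
    // entities, so a DOCTYPE pointing at file:///... or http://... is
    // followed on whichever side parses the document (here, the controller).
    static DocumentBuilder unsafeBuilder() throws ParserConfigurationException {
        return DocumentBuilderFactory.newInstance().newDocumentBuilder();
    }

    // Hardened shape for the JDK's built-in parser: reject DOCTYPE outright
    // (no DOCTYPE, no entity declarations), and also switch off external
    // entities, external DTD loading and XInclude so the policy survives a
    // parser implementation that ignores the first feature.
    static DocumentBuilder safeBuilder() throws ParserConfigurationException {
        DocumentBuilderFactory f = DocumentBuilderFactory.newInstance();
        f.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true);
        f.setFeature("http://xml.org/sax/features/external-general-entities", false);
        f.setFeature("http://xml.org/sax/features/external-parameter-entities", false);
        f.setFeature("http://apache.org/xml/features/nonvalidating/load-external-dtd", false);
        f.setXIncludeAware(false);
        f.setExpandEntityReferences(false);
        f.setAttribute(XMLConstants.ACCESS_EXTERNAL_DTD, "");
        f.setAttribute(XMLConstants.ACCESS_EXTERNAL_SCHEMA, "");
        return f.newDocumentBuilder();
    }

    // Returns the text of the first <project> element. With the unsafe
    // builder and a hostile document, that text is the contents of whatever
    // the entity pointed at.
    static String firstProjectText(DocumentBuilder b, String xml) throws SAXException, IOException {
        Document d = b.parse(new InputSource(new StringReader(xml)));
        return d.getElementsByTagName("project").item(0).getTextContent();
    }

    // Constructed stand-in for a crafted input file: the external entity is
    // placed in element content (attribute values may not reference external
    // entities), which is where a real payload would put it.
    static String hostileManifest(Path target) {
        return "<?xml version=\"1.0\"?>\n"
             + "<!DOCTYPE manifest [<!ENTITY xxe SYSTEM \"" + target.toUri() + "\">]>\n"
             + "<manifest><project>&xxe;</project></manifest>\n";
    }

    public static void main(String[] args) throws Exception {
        Path secret = Files.createTempFile("controller-secret", ".txt");
        Files.write(secret, "constructed secret value".getBytes(StandardCharsets.UTF_8));
        String xml = hostileManifest(secret);
        try {
            System.out.println("unsafe parser returned: " + firstProjectText(unsafeBuilder(), xml));
            System.out.println("safe parser returned: " + firstProjectText(safeBuilder(), xml));
        } catch (SAXException e) {
            System.out.println("safe parser rejected the document: " + e.getMessage());
        } finally {
            Files.deleteIfExists(secret);
        }
    }
}
```

Inside a Jenkins plugin the shorter route is `jenkins.util.xml.XMLUtils.parse`, which applies equivalent settings; the point of spelling them out is that "configure its XML parser" in the advisory means exactly this list, and that the DOCTYPE rejection alone is what removes both the file-read and the server-side request forgery variants.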


SECURITY-2631 / CVE-2022-43431
Compuware Strobe Measurement Plugin 1.0.1 and earlier does not perform a
permission check in an HTTP endpoint.

This allows attackers with Overall/Read permission to enumerate credentials
IDs of credentials stored in Jenkins. Those can be used as part of an
attack to capture the credentials using another vulnerability.

As of publication of this advisory, there is no fix.


SECURITY-2863 / CVE-2022-43432
Jenkins sets the `Content-Security-Policy` header to static files served by
Jenkins (specifically `DirectoryBrowserSupport`), such as workspaces,
`/userContent`, or archived artifacts, unless a Resource Root URL is
specified.

XFramium Builder Plugin 1.0.22 and earlier globally disables the
`Content-Security-Policy` header for static files served by Jenkins as soon
as it is loaded. This allows cross-site scripting (XSS) attacks by users
with the ability to control files in workspaces, archived artifacts, etc.

NOTE: Jenkins instances with Resource Root URL configured are unaffected.

As of publication of this advisory, there is no fix.


SECURITY-2864 / CVE-2022-43433
Jenkins sets the `Content-Security-Policy` header to static files served by
Jenkins (specifically `DirectoryBrowserSupport`), such as workspaces,
`/userContent`, or archived artifacts, unless a Resource Root URL is
specified.

ScreenRecorder Plugin 0.7 and earlier programmatically updates the
Java system property allowing administrators to customize the
`Content-Security-Policy` header for static files served by Jenkins to
include `media-src: 'self'`. On a Jenkins instance with default
configuration, this effectively disables all other directives in the
default rule set, including `script-src`. This allows cross-site scripting
(XSS) attacks by users with the ability to control files in workspaces,
archived artifacts, etc.

NOTE: Jenkins instances with Resource Root URL configured are unaffected.

As of publication of this advisory, there is no fix.


SECURITY-2865 / CVE-2022-43434
Jenkins sets the `Content-Security-Policy` header to static files served by
Jenkins (specifically `DirectoryBrowserSupport`), such as workspaces,
`/userContent`, or archived artifacts, unless a Resource Root URL is
specified.

NeuVector Vulnerability Scanner Plugin 1.20 and earlier globally disables
the `Content-Security-Policy` header for static files served by Jenkins
whenever the 'NeuVector Vulnerability Scanner' build step is executed. This
allows cross-site scripting (XSS) attacks by users with the ability to
control files in workspaces, archived artifacts, etc.

NOTE: Jenkins instances with Resource Root URL configured are unaffected.

As of publication of this advisory, there is no fix.


SECURITY-2866 / CVE-2022-43435
Jenkins sets the `Content-Security-Policy` header to static files served by
Jenkins (specifically `DirectoryBrowserSupport`), such as workspaces,
`/userContent`, or archived artifacts, unless a Resource Root URL is
specified.

360 FireLine Plugin 1.7.2 and earlier globally disables the
`Content-Security-Policy` header for static files served by Jenkins
whenever the 'Execute FireLine' build step is executed, if the option 'Open
access to HTML with JS or CSS' is checked. This allows cross-site scripting
(XSS) attacks by users with the ability to control files in workspaces,
archived artifacts, etc.

NOTE: Jenkins instances with Resource Root URL configured are unaffected.

As of publication of this advisory, there is no fix.
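The four findings above (SECURITY-2863 through SECURITY-2866) all amount to a plugin overwriting the single policy string that Jenkins sends for files served by `DirectoryBrowserSupport`, either with an empty value or with a value that drops the directives that stop scripts. The block below is an added check over such a policy string, not code from any of those plugins; the system property name and the default policy are the ones Jenkins documents, everything else is this example's own.

```java
import java.util.LinkedHashMap;
import java.util.Locale;
import java.util.Map;

public final class DirectoryBrowserCsp {

    // System property Jenkins reads for the policy applied to files served
    // through DirectoryBrowserSupport; an empty value disables the header.
    static final String PROPERTY = "hudson.model.DirectoryBrowserSupport.CSP";

    // Jenkins' documented default for that header.
    static final String DEFAULT_POLICY =
            "sandbox; default-src 'none'; img-src 'self'; style-src 'self';";

    // Splits "name value; name value" into an ordered map. A directive with
    // no value (like "sandbox") maps to the empty string.
    static Map<String, String> parse(String policy) {
        Map<String, String> directives = new LinkedHashMap<>();
        for (String part : policy.split(";")) {
            String[] tokens = part.trim().split("\\s+", 2);
            if (tokens[0].isEmpty()) {
                continue;
            }
            directives.put(tokens[0].toLowerCase(Locale.ROOT),
                    tokens.length > 1 ? tokens[1].trim() : "");
        }
        return directives;
    }

    // Does the policy still keep scripts in a served file from running?
    // True when the document is sandboxed without allow-scripts, or when the
    // effective script-src (explicit, otherwise default-src) is 'none'.
    static boolean blocksScripts(String policy) {
        if (policy == null || policy.trim().isEmpty()) {
            return false; // header not sent at all
        }
        Map<String, String> d = parse(policy);
        if (d.containsKey("sandbox") && !d.get("sandbox").contains("allow-scripts")) {
            return true;
        }
        String scriptSrc = d.containsKey("script-src") ? d.get("script-src") : d.get("default-src");
        return "'none'".equals(scriptSrc);
    }

    public static void main(String[] args) {
        System.out.println(blocksScripts(DEFAULT_POLICY));
        // What "globally disables the header" amounts to:
        System.out.println(blocksScripts(""));
        // What replacing the whole property with one media-src directive amounts to:
        System.out.println(blocksScripts("media-src 'self'"));
        // Appending the directive to the existing policy keeps the rest intact:
        System.out.println(blocksScripts(DEFAULT_POLICY + " media-src 'self';"));
        // The value in effect in this JVM (unset means Jenkins' default applies):
        System.out.println(blocksScripts(System.getProperty(PROPERTY, DEFAULT_POLICY)));
    }
}
```

The check only tells an administrator whether the current value is still doing its job; it cannot undo a plugin that resets the property at load time or on every build. The durable mitigation is the one each NOTE above names: configure a Resource Root URL, after which user-controlled files are served from a separate origin and the header no longer matters.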


